Cyberattack on Kazakhstan's Largest Oil Company Was 'Simulation' - Dark Reading
Researchers thought a Russian APT used a compromised employee email to attack Kazakhstan's biggest oil company. The company later confirmed it was a pen test.

Nate Nelson, Contributing Writer
September 11, 2025

UPDATE

A cybersecurity company acknowledged that malicious activity targeting a Kazakhstan oil and gas company that it initially attributed to a likely Russian threat group was actually a large-scale phishing exercise.

From a distance, it looked like a full-on cyber campaign from a new threat actor, likely based in Russia, which researchers from Seqrite Labs took the liberty of naming "Noisy Bear." They spotted similar telemetry in attacks across Central Asia, they said, with a particularly notable case of espionage against Kazakhstan oil giant ҚазМұнайГаз (anglicized as "KazMunayGas," or KMG for short).

After communicating with KMG, one week after first reporting the incident, the researchers came to realize that it was merely a red team exercise. "Thankfully, as KMG has publicly acknowledged, this was not an actual cyberattack but an internal simulation exercise," the company said in an update to its original report.

The simulation featured tactics, techniques, and procedures (TTPs) observed in other cyberattacks in the region, along with some advanced stealth techniques.

Simulated Russian Attack Chain

With a compromised email address belonging to a KMG finance department employee, the red team attackers sent phishing emails to various other employees.
The emails were made to impersonate mundane company business — recipients were tasked with reviewing work schedules, incentive systems, and wages "in connection with recent changes in corporate policy." The intentionally banal subject matter was contradicted somewhat by the manufactured urgency with which it was presented — the subject line said "URGENT!" and the note urged recipients to address the contents of the email within days of receiving it.

The email pointed recipients to a zip file containing a decoy document and a shortcut (LNK) file deceptively named "Salary Schedule.lnk." When executed, the LNK downloaded a batch script, which in turn retrieved the attackers' PowerShell loader, dubbed "DownShell."

DownShell consists of two complementary scripts. The first handles anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI).

AMSI is a bridge that allows antimalware programs to scan other applications and services on the same system for malicious code. For example, if a script is loaded to be run in PowerShell, or a file is about to execute in an Office program, AMSI passes the content to Microsoft Defender or a third-party antivirus program, which checks it for potential threats.

To get around this and execute its malicious loader, Noisy Bear used a known bypass trick. Without needing any special privileges or particularly sophisticated code, the hackers toggled a setting within PowerShell that, when true, indicates to the program that AMSI has failed to initialize.

Now that AMSI was "broken," the coast was clear for DownShell's second-stage script, the actual loader. This script's big trick was CreateRemoteThread injection. In simple terms, it hijacked a normal Windows process — File Explorer — and forced it to create a new, hidden thread where its malicious code could run under the protective guise of that legitimate process.
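A defender-side view of the three stages just described (a shortcut launched under explorer.exe, the AMSI init-failed toggle showing up in script block logs, and a CreateRemoteThread call into explorer.exe), written here as an added example that is not from Seqrite Labs' report or the article. Field names mirror Sysmon and PowerShell logging, but the event records are constructed, and the indicator strings in `AMSI_TAMPER` are assumed to be what a script block log would contain.

```python
import re
from collections import defaultdict
from typing import Optional

# Strings that show up in PowerShell script block text (Event ID 4104) when a script
# pokes at AMSI's initialization state rather than letting the scan happen (assumed set).
AMSI_TAMPER = re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it matches nothing."""
    eid = ev.get("id")
    # Stage 1: a shortcut opened in File Explorer spawns cmd.exe/PowerShell under explorer.exe (Sysmon ID 1).
    if eid == 1 and _base(ev.get("parent", "")) == "explorer.exe" \
            and _base(ev.get("image", "")) in SCRIPT_HOSTS:
        return "lnk_launch"
    # Stage 2: DownShell's first script flips the AMSI init-failed state (PowerShell ID 4104).
    if eid == 4104 and AMSI_TAMPER.search(ev.get("script", "")):
        return "amsi_tamper"
    # Stage 3: the loader puts a thread into explorer.exe from a PowerShell host (Sysmon ID 8, CreateRemoteThread).
    if eid == 8 and _base(ev.get("source", "")) in SCRIPT_HOSTS[:2] \
            and _base(ev.get("target", "")) == "explorer.exe":
        return "remote_thread_into_explorer"
    return None

def correlate(events: list) -> dict:
    """Group matched stages by host and keep only hosts where two or more stages line up."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= 2}

# Constructed sample telemetry; none of it comes from the KMG exercise.
SAMPLE = [
    {"host": "WS01", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "id": 4104, "script": "<script block referencing amsiInitFailed; redacted>"},
    {"host": "WS01", "id": 8, "source": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\explorer.exe"},
    # A user on WS02 opening an ordinary shortcut trips stage 1 only and is not reported.
    {"host": "WS02", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `correlate(SAMPLE)` reports only WS01, with all three stages; stage 1 on its own is too common to alert on, which is why the host-level correlation matters.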
That code established a reverse shell for the attackers.

Cybersecurity in Central Asia

In communications with Seqrite Labs, KMG clarified that it was not attacked — it merely conducted a security exercise. Seqrite Labs initially pushed back on KMG's denials. In comments to Dark Reading this week, the company claimed that aspects of the attacks, such as forensic evidence and the use of a sanctioned Russian bulletproof hosting provider, Aeza Group, indicated the activity was conducted by threat actors. However, in an update to its original report, Seqrite Labs confirmed it was not a real cyberattack.

The simulation reflects broader threats faced by organizations in the region. Seqrite Labs researchers said that "beyond Kazakhstan's oil and gas sector, we've seen infrastructure and tooling overlaps across other Central Asian targets," pointing, for example, to the Silent Lynx group.

In theory, KMG could be of particular interest to Russian attackers, or anyone else interested in Central Asia. It's not just a state-owned oil and gas company, or Kazakhstan's largest such company, raking in billions of dollars every year. It's also the country's largest company, full stop. Much of its customer base is in Europe where, amid Putin's security threats to the European Union (EU) and Ukraine, some countries have been trying to wean themselves off of Russian gas.

Dark Reading contacted KMG for comment and will update this article should a company representative reply.

This story was updated on Sept. 11, 2025 at 5:15 p.m. ET, after the researchers acknowledged the event was a red team exercise, not a real cyberattack.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life."
Before joining Dark Reading, he was a reporter at Threatpost.